Disqus Breach: 17.5 Million Emails Exposed By Login Hack

17.5 million email addresses of users of blog comment service Disqus were stolen in a 2012 hack. Photo: Disqus/Wikimedia Commons

Popular blog comment service Disqus announced Friday that it experienced a breach of its systems in 2012 that resulted in 17.5 million user email addresses and passwords being stolen by hackers.

The five-year-old incident, which went undetected until recently, also exposed the Disqus usernames associated with an individual's email, the date the account was created, and the date the user last logged in.

Frequent blog and website commenters are no doubt familiar with Disqus, which has been a popular WordPress plugin on sites that have a section for reader engagement. The third-party comment platform has been a staple of a number of well-trafficked sites.

According to Disqus, the hack of its database occurred sometime in July 2012, and was first brought to light on October 5 by an independent security researcher who discovered Disqus data online. Information exposed in the breach dated back as far as 2007.

While passwords for about one-third of the stolen user accounts were included in the breach, there is some good news and bad news regarding their potential exposure.

The good news is Disqus did not store the passwords in plaintext. The company used a hashing algorithm that included a salting function—a process that combines random data with each password before it is hashed, so that identical passwords do not produce identical hashes and precomputed lookup tables cannot be reused, which makes the stored hashes harder for a hacker to crack.

The bad news is that Disqus did its hashing with the SHA1 algorithm—a previous web standard that has since been phased out after researchers demonstrated practical weaknesses in it. SHA1 is also a fast, general-purpose hash, so even salted SHA1 password hashes can be brute-forced far more quickly than those produced by a purpose-built password hashing function. Disqus has since switched to the more secure bcrypt algorithm for password hashing.
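To make the switch described above concrete, here is an added example (not Disqus code) that places a legacy salted-SHA1 password record beside a slow-hash record and performs the login-time upgrade a site needs when it cannot recover plaintext passwords. PBKDF2-HMAC-SHA256 stands in for bcrypt because bcrypt is outside the Python standard library, and the `sha1$...` / `pbkdf2$...` record formats are invented for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Invented record formats for this example:
#   legacy:   "sha1$<salt_hex>$<digest_hex>"
#   upgraded: "pbkdf2$<iterations>$<salt_hex>$<digest_hex>"
# PBKDF2-HMAC-SHA256 is used as a stand-in for bcrypt (not in the stdlib).
PBKDF2_ITERATIONS = 600_000  # tunable work factor; raise as hardware gets faster


def hash_sha1_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Legacy scheme: a single SHA1 pass over salt || password.
    The salt defeats precomputed tables, but SHA1 is so fast that
    an offline guessing attack still runs at full hardware speed."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def hash_pbkdf2(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow scheme: a purpose-built password hash whose cost is deliberate."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    parts = stored.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        candidate = hash_sha1_salted(password, bytes.fromhex(parts[1]))
    elif parts[0] == "pbkdf2" and len(parts) == 4:
        candidate = hash_pbkdf2(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Login-time migration: the plaintext is only available while the user
    logs in, so a correct password against a legacy record yields a fresh
    slow-hash record to write back. A wrong password leaves the record as is."""
    ok = verify(stored, password)
    if ok and stored.startswith("sha1$"):
        return True, hash_pbkdf2(password)
    return ok, stored
```

Until every user has logged in once, records still carrying the `sha1$` prefix show exactly which accounts remain at the weaker protection level and may warrant a forced reset, as Disqus performed.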

So far, Disqus has reported no evidence of an unauthorized login attempt in relation to the breach. As a safety precaution, the company automatically reset the passwords of all user accounts that were discovered to have been stolen.

Per usual, the biggest risk in a breach like this isn’t necessarily the exposed account itself being compromised but other accounts associated with a user. The damage that could be done by someone hijacking a person’s Disqus account is likely minimal—at worst it could give someone a bad reputation by posting malicious comments under their name.

If a person used the same email address and password to log in to other accounts, though, a breach like this one could create additional concern. Any account with a reused password is at risk of being compromised. Users are advised to change the password of any account that may have had the same password as their Disqus account.

Disqus also warned that, since the email addresses were stored in plain text, users may experience an increase in spam or phishing attempts targeting their account.

The comment platform didn’t have any additional information regarding how the breach occurred, but Disqus did receive high marks for its disclosure of the unfortunate event.

The company published a full timeline of when it learned of the breach, how it confirmed its validity, and how it could affect its users—a stark contrast to how a company like Equifax, which waited 40 days before publicly revealing its breach, handled the situation.